Azure – Cloud Governance – Management Group
I hope you all are doing good !!
What is Management Group :
Today we will discuss about Management Group, a new topic of Azure / Cloud Governance. Many organisation, having different subscriptions, specific to different environments, regions and departments etc. So that organisation can set different configurations, different polices or different compliance for each subscription as per the environments or regions. It was very hard to manage multiple Azure subscriptions and admin had to apply all the governance and policies separately to each and every subscription.
We need a efficiently way to manage access, policies, and compliance for these subscriptions. Azure Management Group allows us to manage multiple Azure subscriptions under a single governance model. We logically organize subscriptions into containers called “Management Groups” and apply our governance policies to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.
Sample Hierarchy of management groups and subscription :
Important facts about management groups :
- 10,000 management groups can be supported in a single directory.
- A management group hierarchy can have up to six levels of depth without Root Level and subscription level.
- One management group and subscription can’t have multiple parents but each management group can have many children.
- All subscriptions and management groups are within a single hierarchy in each directory
Important facts about the Root management group from one Microsoft blog:
- The root management group can’t be moved or deleted, unlike other management groups.
- All subscriptions and management groups fold up to the one root management group within the directory.
- New subscriptions are automatically defaulted to the root management group when created.
- All Azure customers can see the root management group, but not all customers have access to manage that root management group.
- Everyone who has access to a subscription can see the context of where that subscription is in the hierarchy.
- No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access, the global administrators can assign any RBAC role to other users to manage.
Create a management group in portal :
1. Connect to your Azure portal dashboard using your subscription account. If you don’t have any subscription, in that case you can get trial Azure subscription with one-month of validity. Then you can connect to the azure portal dashboard as in following figure.
2. Select All services > Management groups and this will open with Management Group page as shown in the following figure.
3. On the Management Group page, click Start using Management groups to start with adding MG. This will open popup and allowing to fill the required information and Click on Save button, as in the following figure.
The Management Group ID is the directory unique identifier that is used to submit commands on this management group. This identifier is not editable after creation as it is used throughout the Azure system to identify this group. The Display name of Management Group can be renamed after creation.
When adding the first Management Group (MSTechsMG), it created under Tenant Root Group because as we discussed in above section Tenant Root Group will be the root group always and it cannot be move into any other Management Group, as shown in the following figure.
Let add one child Management Group (KJMG) under recently created MSTechsMG group. Go into detail of MSTechsMG group and from top menu, click +Add Management Group to add new child MG group as shown in the following figure.
As in the following figure, we can see, a management group provides many options to manage a Management Group, like Move, Add Subscription, Add Management group, Rename and Delete etc.
Move Management Group :
As we know that we can move a child Management group to any other Management Group. For example let’s move our child KJMG group from MSTechsMG to Tenant Root Group .
Select and go to the detail overview page of KJMG group and click –>Move link and then select New parent management group and then click Save to move MG group from old parent to new parent MG group.
In the following figure, we can see that the parent of KJMG management group has been changed after moving from MSTechsMG group.
Add New Subscription to Management Group :
Now we will discuss, how to add a new subscription to a management group. In this article we will add a subscription to our MSTechsMG group. So to proceed , let’s go to detail page of MSTechsMG group. from detail page click on +Add Subscription link as shown in the following figure.
As shown in the above figure, we need to select the required subscription and click Save button to add the subscription. In the following figure showing after adding subscription to MSTechsMG group.
Create a management group in power-shell:
Within PowerShell, we use the New-AzManagementGroup cmdlet as in following sample code. More information about power shell command can be found here.
New-AzManagementGroup -GroupName 'Contoso' -DisplayName 'Contoso Group' -ParentId '/providers/Microsoft.Management/managementGroups/ManasTenant'
Create a management group in CLI:
Following sample code use to create Management Group. More information about CLI command can be found here.
az account management-group create --name 'ManasTenant'
I hope this article gives you a basic idea about Azure Management Group.
Thanks for reading 🙂
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more. If you have any suggestion / feedback / doubts, you are most welcome.
Stay tuned on Knowledge-Junction, will come up with more such articles.